Squid 4.0.20 release notes

Squid Developers

This document contains the release notes for version 4 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
for Applied Network Research and members of the Web Caching community.

This release adds a dependency on C++11 support in any compiler used to build Squid.
As a result, older C++03-only and most C++0x compilers will no longer build it successfully.
GCC 4.9+ and Clang 3.5+ are known to have working C++11 support and are usable.
GCC 4.8 will also build for now despite lacking full C++11 support, but some future features may not be available.

This release does not support LibreSSL.
Due to a bug in the way LibreSSL uses the OpenSSL version macro, some changes
necessary to support OpenSSL 1.1 prevent building with LibreSSL.

The helper-mux.pl script that we have been distributing for the past few years to
encourage use of concurrency is no longer compatible with Squid. If
used, it will spawn up to 2^64 helpers and DoS the Squid server.

Helpers that use fixed-size arrays to handle a fixed number of concurrency
channels MUST be re-written to use queues and to handle a 64-bit integer
as the channel index; otherwise they are vulnerable to buffer overrun and
arbitrary memory accesses.

32-bit helpers need re-writing to handle the concurrency channel ID as a
64-bit integer value. If not updated, they will cause proxies to return
unexpected results or time out once the ID crosses the 32-bit wrap
boundary, leading to undefined behaviour in the client HTTP traffic.
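The following is an added example, not part of these release notes or of Squid's own helper code: a minimal concurrent external ACL helper that parses the channel ID as an unbounded integer, range-checks it against 64 bits, and answers each request on its own rather than indexing a fixed-size table by channel ID. The allowlist and the "first key is a user name" policy are constructed for illustration.

```python
import sys

# Constructed allowlist standing in for whatever lookup a real helper performs.
ALLOWED_USERS = {"alice", "bob"}

MAX_CHANNEL = 2**64 - 1   # Squid-4 concurrency channel IDs are 64-bit unsigned


def parse_request(line):
    """Split one 'channel-ID key [key...]' request line sent by Squid.

    Python ints are arbitrary precision, so IDs past the 32-bit wrap
    boundary are parsed intact instead of being silently truncated;
    anything beyond 64 bits is rejected as a protocol violation.
    """
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2 or not parts[0].isdigit():
        raise ValueError("malformed request line: %r" % line)
    channel = int(parts[0])
    if channel > MAX_CHANNEL:
        raise ValueError("channel id %d exceeds 64-bit range" % channel)
    return channel, parts[1].split()


def decide(keys):
    """Constructed policy: treat the first key as a user name and allow it
    only if it is on the allowlist."""
    return "OK" if keys and keys[0] in ALLOWED_USERS else "ERR"


def handle_line(line):
    """Return the reply line Squid expects: the same channel ID, then the verdict."""
    channel, keys = parse_request(line)
    return "%d %s" % (channel, decide(keys))


def serve(inp=sys.stdin, out=sys.stdout):
    """Answer requests as they arrive. Squid matches replies to requests by
    channel ID, so no array indexed by channel exists here to overrun."""
    for line in inp:
        try:
            reply = handle_line(line)
        except ValueError as err:
            sys.stderr.write("helper: %s\n" % err)   # stderr ends up in cache.log
            continue
        out.write(reply + "\n")
        out.flush()


if __name__ == "__main__":
    serve()
```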

SSLv2 is not fit for purpose. Squid no longer supports being configured with
any settings regarding this protocol. That includes settings manually disabling
its use, since it is now always disabled. Settings enabling
various client/server workarounds specific to SSLv2 are also removed.

SSLv3 is not fit for purpose. Squid still accepts configuration for it, but its use
is deprecated and will be removed entirely in a future version.
Squid's default behaviour is to follow the built-in TLS negotiation mechanism,
which prefers the latest TLS version but also accepts downgrades to SSLv3.
Use tls-options=NO_SSLv3 to disable SSLv3 support completely.

A new option tls-min-version=1.N is added in place of sslversion=
to configure the minimum version the TLS negotiation will allow to be used
when an old TLS version is requested by the remote endpoint.

The system Trusted CAs are no longer used by default when verifying client
certificates. The cafile= option should be used instead to explicitly load
the specific CA which signed the acceptable client certificates,
even if that CA is one of the system Trusted CAs.
The tls-default-ca option can be used to restore the old
behaviour explicitly if needed.

The basic_msnt_multi_domain_auth helper has been removed. The
basic_smb_lm_auth helper performs the same actions without extra
Perl and Samba dependencies.

The cert_valid.pl testing helper has been renamed to
security_fake_certverify, reflecting the Squid helper naming schema
and that it does not actually perform any certificate checks.

The security_fake_certverify helper is also now built and installed
by default. It is written in Perl, so it does not require OpenSSL dependencies
for installation, but it does use the Perl Crypt::OpenSSL::X509 module at run time.
Building the helper can be controlled using the --enable-security-cert-validators="fake"
option.

The ssl_crtd helper has been renamed to security_file_certgen
and is now built and installed by default whenever OpenSSL support is enabled.
Building the helper can be controlled using the --enable-security-cert-generators="file"
option.
NOTE: The --enable-ssl-crtd option is still required to enable the
sslcrtd_program helper interface within Squid that uses the helper.

The ntlm_smb_lm_auth helper is now built using --enable-auth-ntlm="SMB_LM".
Notice the upper case where it was previously a (wrongly) lower cased acronym.

To mark an ICAP service as secure, use an icaps:// service URI scheme when
listing your service via an icap_service directive. The industry uses the
term Secure ICAP, and Squid follows that convention, but icaps seems more
appropriate for a scheme name.

Squid uses port 11344 for Secure ICAP by default, following another popular
proxy convention. The old 1344 default for plain ICAP ports has not changed.

Use of C++11 atomic operations instead of GNU atomics allows a wider range of
operating systems and compilers to build Squid SMP and multi-process features.
However this does require a C++11 or C++0x compiler with a recent version of
the C++ standard library.

The IpcIo and Mmapped disk I/O modules are now auto-detected properly, which
enables Rock storage by default on more systems than previously.

Squid is traditionally referred to as a daemon, but it is actually a combination
of daemon and daemon manager processes. This has caused significant problems
integrating it with other third-party daemon managers.

The Squid process which places its PID into the squid.pid file has always
been the process to which control signals are sent. The manager process is
now taking on signal handling instead of the main daemon process, enabling
integration with daemon managers such as Upstart or systemd, which assume that the
process they initiated is the daemon whose PID is to be controlled.

The squid binary now has a new --foreground command line option
which prevents the process from exiting early while background workers
continue their processing. When run with this option Squid will now wait
for the worker(s) to finish before exiting. Unlike the old -N option
--foreground supports SMP workers and multi-process features.
--foreground is particularly useful for use with -z (disk
cache structures creation), as it allows the caller to wait until Squid has
finished.

If all you need is a proxy that connects over TLS/SSL to a cache_peer,
or that accepts https:// URLs over clear-text and performs the necessary
upstream TLS connections, then you now have the choice to build Squid with
GnuTLS instead of OpenSSL.

squid.conf directives and configuration options which have undergone
name changes from 'ssl' to 'tls' prefix in Squid-4 have GnuTLS support, unless
explicitly stated otherwise.

Advanced configuration with specific selection of ciphers and similar settings
should still work, but needs the GnuTLS Priority Strings instead of
the OpenSSL options when using GnuTLS.

New directive to limit the size of a table used for sharing information
about collapsible entries among SMP workers.

on_unsupported_protocol

New directive to set the action performed when encountering strange
protocol requests at the beginning of an accepted TCP connection.

reply_header_add

New directive to add header fields to outgoing HTTP responses to
the client.

request_start_timeout

New directive controlling how long Squid waits for the first request
bytes to arrive after initial connection establishment by a client.

server_pconn_for_nonretriable

New directive to provide fine-grained control over persistent connection
reuse when forwarding HTTP requests that Squid cannot retry. It is useful
in environments where opening new connections is very expensive
and race conditions associated with persistent connections are very rare
and/or only cause minor problems.

shared_memory_locking

New directive to ensure shared memory is all available immediately
on startup. Protects against SIGBUS errors, but delays startup.

tls_outgoing_options

New directive to define TLS security context options for outgoing
connections. For example to HTTPS servers.

url_rewrite_timeout

Squid times active requests to the redirector. This option sets
the timeout value and the Squid reaction to a timed-out
request.